Purchasing commercial general liability and umbrella insurance policies is one way to protect your business from liability. However, these types of policies have not adapted to protect policyholders from certain types of cyber liability. This issue was recently exposed in a case against Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc. (collectively “Urban Outfitters”). Urban Outfitters found itself with no suitable insurance coverage when facing several lawsuits for privacy infringement that resulted from credit card transactions. Many businesses collect customer data, and infringements of customer privacy may not be covered by traditional insurance policies. Do you run a business that collects consumer data? Are you unsure how far your insurance coverage extends in protecting against consumer data breaches? If so, then you may contact us to speak to an attorney about whether you should obtain cyber liability insurance.
What Was the Issue in the Urban Outfitters Case?
In OneBeacon America Insurance Company v. Urban Outfitters, et al., Urban Outfitters was sued in three different states for consumer privacy breaches. Urban Outfitters was sued because of its practice of collecting consumer zip code information when processing credit card transactions. This practice violated multiple consumer privacy laws. Urban Outfitters then looked to its insurance company to defend the multiple lawsuits. However, the insurance company claimed that its general liability policy did not cover that kind of privacy breach. The federal court in Pennsylvania agreed, and held that the insurance company was not obligated to defend Urban Outfitters in any of the lawsuits. The general liability policy only covered “oral or written publication of material that violates a person’s right of privacy,” and even though Urban Outfitters violated consumer privacy, it never published that material.
What Lessons Can Businesses Learn From the Urban Outfitters Case?
In general, businesses should take steps to ensure that insurance policies cover all types of privacy violations. This can be accomplished with a tailored cyber liability insurance policy. These policies can cover a range of risks (e.g., data breach, media liability, extortion, and network security breach). However, every company is structured differently and each is exposed to a different set of risks. As such, mainstream insurance companies are now offering pre-packaged cyber liability insurance along with custom policies. In most instances, the language in an insurance policy is filled with complicated legal terms. So, it is recommended that you speak with an attorney to ensure that the insurance policy properly protects your company. You can also take steps on your own to reduce your risk and the cost of an insurance policy. Insurance companies rely on the following factors in determining premiums: (1) general risk exposure of the industry; (2) general risk exposure of the size of the company; (3) loss history; (4) years in business; (5) financial condition; (6) extent of use of outsourced network security services; (7) dependency on third-party networks; and (8) in-depth analysis of network security pursuant to standards (e.g., ISO 27001).
In sum, businesses cannot control all of these factors, but they can improve their financial condition and network security. You may contact us to speak to an attorney about your questions regarding cyber liability insurance.